April 2, 2015

QUESTION: May physicians text or e-mail patient information to one another if such texts or e-mails are directly related to patient care? If so, does HIPAA require that such transmissions be encrypted?

ANSWER: Any discussion of sending Protected Health Information (“PHI”) via text or e-mail should distinguish between (1) the HIPAA Privacy Rule and (2) the HIPAA Security Rule:

(1) The Privacy Rule is concerned with WHY information is being used or disclosed: is there a permissible purpose? There is no violation of the Privacy Rule if a text or e-mail is sent for a treatment purpose.

(2) The Security Rule is concerned with HOW information is transmitted and stored. Thus, while it may be appropriate for one physician to disclose PHI to another physician for treatment purposes, the Security Rule could still be violated if the method used to transmit that information is improper.

The Security Rule has three categories of requirements:

(i) Standards.

(ii) Required Implementation Specifications.

(iii) Addressable Implementation Specifications.

Covered entities must comply with all “Standards” and “Required Implementation Specifications.” As the name implies, “Addressable Implementation Specifications” do not always have to be implemented. Instead, each covered entity must evaluate whether an Addressable Implementation Specification is a “reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting” PHI. If so, the Addressable Implementation Specification must be implemented. If not, the covered entity must consider whether an alternative measure to protect security is feasible and must document its conclusions.

Encryption is an Addressable Implementation Specification. Thus, covered entities are expected to encrypt texts and e-mails if doing so is a “reasonable and appropriate safeguard in its environment.” In evaluating this question, covered entities should consider whether encryption would interfere with patient care (e.g., undue delays in transmission, retention of encrypted transmissions, etc.).